Hacked (pt.3) or how to clean a compromised WordPress site

The word 'hacked' within ones and zeros.
Source: iStock (10623991)

This is the kind of post that I’ve thankfully not needed to post for over nine years. Today one of my WordPress sites got compromised.

It all began with an email this afternoon from AntiVirus, a WordPress plugin that scans your theme templates for malicious code injections. The email read:

The daily antivirus scan of your blog suggests alarm.

I had to laugh at the phrase “suggests alarm”. But after I laughed, I accepted their suggestion and for a few moments felt alarm, before realising that panic was no use and besides, I knew what to do.

Two candidates

I’m still not 100% sure what caused the code injection but I currently suspect two potential sources of infection:

MailPoet

I may have been one of 50,000+ victims of the MailPoet vulnerability that was made public days before I went down with viral meningitis! I had that

As the MailPoet site states:

There was a security issue in all the versions of MailPoet lower to 2.6.8, this security issue was making your site highly vulnerable (blog post).

It can really only have been a plugin vulnerability, as I have to manually unlock FTP access whenever I want to upload anything. So it had to be an ‘inside job’. And I had MailPoet (formerly WYSIJA) installed on that account.

Outdated theme

Alternatively, it may have been a premium theme that I was using that had the Slider Revolution plugin embedded. This was reported to have a critical vulnerability last month.

I thought I had patched it, but perhaps with my meningitis-muddled head I didn’t do it properly.

How to clean an infected WordPress site

Whatever it was, it injected a bunch of obfuscated code into the top of all the PHP files on that site. A giveaway was that in the WordPress plugins screen all the plugins were disabled and reporting “the plugin does not have a valid header”.

If something similar happens to you, then you might find the following steps useful:

  1. Change passwords for:
    1. WordPress admin
    2. FTP
    3. MySQL database
  2. Backup all the files on the site. (That took ages!)
  3. Delete all WordPress core files including themes and plugins (Do not delete user-uploaded content, e.g. images, PDFs, etc.)
  4. Download clean installation of WordPress.
  5. Upload clean WordPress files (except wp-config-sample.php).
  6. Rename wp-config-sample.php to wp-config.php, update with database details and upload.
  7. Upload a clean version of your theme (remove themes that you are not using).
  8. Install and activate required plugins including antivirus and security plugins.
  9. Check other PHP files for compromise, not just WordPress files.
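Steps 4, 5 and 9 together amount to comparing what is on the server against a known-clean copy. The script below is an added example, not code from the post: given a clean WordPress download of the same version and the live tree, it lists core PHP files that differ, PHP files outside wp-content that the clean copy does not have, and any PHP file sitting in wp-content/uploads. The demo tree it builds is constructed, with made-up file names.

```shell
#!/bin/sh
# Integrity check for a WordPress tree (added example, not from the post):
# compares the live site against a clean download of the same WordPress
# version and lists what a cleanup should look at. Output: "STATUS ./path".
#   MODIFIED  core PHP file whose bytes differ from the clean copy
#   MISSING   core PHP file absent from the live site
#   EXTRA     PHP file outside wp-content with no clean counterpart
#   UPLOAD    PHP file under wp-content/uploads, which should hold no PHP
wp_integrity_report() {
    clean="$1"; live="$2"
    (cd "$clean" && find . -type f -name '*.php' | sort) | while read -r f; do
        if [ ! -f "$live/$f" ]; then echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then echo "MODIFIED $f"
        fi
    done
    (cd "$live" && find . -type f -name '*.php' ! -path './wp-content/*' | sort) |
        while read -r f; do [ -f "$clean/$f" ] || echo "EXTRA $f"; done
    (cd "$live" && find ./wp-content/uploads -type f -name '*.php' 2>/dev/null | sort) |
        while read -r f; do echo "UPLOAD $f"; done
}

# Constructed demo tree (not real site data): a pristine copy, a live copy
# with one file that has had a line prepended, the way the post describes the
# injection, plus one unexpected core-area file and one PHP file in uploads.
demo_report() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/wp-includes" "$tmp/live/wp-includes" \
             "$tmp/live/wp-content/uploads/2014"
    printf '<?php\n// front controller\n' > "$tmp/clean/index.php"
    cp "$tmp/clean/index.php" "$tmp/live/index.php"
    printf '<?php\nfunction wp_load() {}\n' > "$tmp/clean/wp-includes/load.php"
    { printf '<?php /* prepended */ ?>\n'; cat "$tmp/clean/wp-includes/load.php"; } \
        > "$tmp/live/wp-includes/load.php"
    printf '<?php\n' > "$tmp/live/wp-includes/cache-helper.php"
    printf '<?php\n' > "$tmp/live/wp-content/uploads/2014/image.php"
    wp_integrity_report "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
}

# Run against real directories: ./check.sh /path/to/clean-wp /path/to/live-site
if [ "$#" -eq 2 ]; then wp_integrity_report "$1" "$2"; else demo_report; fi
```

Themes and plugins under wp-content are deliberately left out of the EXTRA list, since the post's steps 7 and 8 replace them wholesale from clean copies rather than diffing them.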

I found this post on the WordPress support site useful: I am getting hacked evry two weeks? Help please. There are some useful links listed on how to clean a WordPress installation.

The main lesson for me to learn from this episode is to make sure I never get viral meningitis again when there are two (or more) critical vulnerabilities in the wild!

Oh, yeah, and always keep your WordPress themes and plugins updated… and if in doubt just delete them before they can cause any problems.

Update

Sunday 19 October 2014

It looks like, based on this blog post from Sucuri, WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability, that the source of the infection was indeed MailPoet.

Post Express Delivery email is malware spam!

I received this email this afternoon:

Post Express Delivery. Package is available for pickup. NR 67433

Hello.

Post notification No.17134

The company could not deliver your package to your address. Your package has been returned to the Post Express office. The reason of the return is “Incorrect delivery address of the package”

Please attention!

Attached to the letter mailing label contains the details of the package delivery. Please print out the invoice copy attached and collect the package at our office

Thank you for attention.
Post Express Service.

Now, I am waiting for a parcel to be delivered. It should contain a wall clock for the bathroom as we had a nice one with a bird on it that is now on the wall in Reuben and Joshua’s bedroom. So, I have to be honest and say that I was tempted to open it.

But then I read the email again and these were the things that concerned me:

  1. “Hello.” Not “Hello Gareth”, just “Hello”.
  2. Who are “Post Express”? Never heard of them.
  3. The reason of the return is “Incorrect delivery address of the package”, but seemingly they managed to guess my correct email address, despite my delivery address being freely available in the BT Phone Book but my email address not…?!
  4. “Please attention!” — that certainly grabbed my attention. Not the most professional use of the English language I’ve ever received.
  5. “Attach to…” — oh, look! an attachment. A zip attachment, which if I were to open I’m pretty certain Symantec Norton AntiVirus 2011 would inform me contains a virus, or trojan, or other such malware software.

I just deleted the email.

More on AVG and Symantec

Interesting article on the Lockergnome blogs: AVG Announces Free One-Year License For Faulty Code.

It would appear that AVG was showing false positive results for genuine Windows files.  I experienced that too with both Windows files and WinAmp Pro, which after one AVG update told me was a virus or trojan.

Worryingly, after I moved to Symantec Norton Anti Virus 2009 it identified a couple of files as containing trojans, that I know I scanned with AVG after downloading and AVG falsely informed me were clean.

So far, I’m having a good experience with Norton Anti Virus 2009.  Good work Team Symantec!

Norton AntiVirus 2009 beta

Last month I got an email from someone who works with Symantec, the company that produces Norton AntiVirus, inviting me to be involved in their beta programme for Norton AntiVirus 2009.

No way! I thought initially. The reason that I moved away from Norton AntiVirus to AVG Free was due to the relatively massive hit on system resources that Norton imposed on my PC system.  It definitely slowed things down.

So I did a bit of reading and was delighted to read that Symantec have

The 2009 releases of Norton Internet Security and Norton AntiVirus were engineered to be fast, and light on system resources.

Reading on:

Norton AntiVirus 2009 provides fast and up-to-the-minute defence against all types of malicious software. It keeps your system protected without slowing it down.

New in 2009!

  • Innovative new architecture dramatically reduces the boot time impact, the scan time, the memory usage as well as the system footprint and the install time
  • Smart Idle Time Scheduler runs quietly in the background to let you work and play without disruption
  • Silent-Mode ensures your games and movies are never interrupted by alerts and security updates

It looks like Symantec have been listening to their users.  I’m going to give the beta a go and see what it’s like. I am very hopeful to be honest; other than the performance hit of previous versions I did like Norton AV.

What will be interesting is to compare the update file sizes compared with AVG Free, which is normally < 200-300 KB, so fabulously lightweight.

Update

Unfortunately … as soon as I tried to download the beta I got this message:

Thank you ... A system error has occurred.

Update 2

It took me about an hour but I was able to download the installation file.

Well, technically it wasn’t me.  It was Symantec Technical Support who connected to my PC via Remote Desktop and downloaded it from a different location, which was pretty poor show to be honest.

Tech support were okay — not very chatty, it must be said, and didn’t really keep me informed very well about what they were doing, but we got there in the end. Even if the whole process from looking up their tech support details to finishing the call took about an hour.

What he did was open the download page in my browser, asked me to enter my details, then he clicked the “Continue” button and watched the same error message that I’d got.

The conversation then went like this:

Mr Gareth Saunders: In good technical support tradition it would appear that the fault is at your end. 😉
Tech Support: Please wait

Viewers of BBC Scotland’s Chewin’ the Fat will likely be making some kind of “oooh!” sound while wiggling their fingers underneath their chin at this point!

So now I have the beta downloaded … it’s time for bed.

Seemingly it lasts for 7 days after which you have to install the latest build, I was told.

But from where?! Wasn’t the whole issue to do with the fact that I couldn’t download the latest build?

Mr Gareth Saunders: What else will I require to install it?  Do I require a licence key for this?
Tech Support: you can use it for 7 days and then you can install the latest build
Mr Gareth Saunders: Ok — and will it tell me where I can download the latest build?
Tech Support: You can contact us from the support option from the program and we will do that for you

I hope that part doesn’t involve Remote Desktop because I’m not happy giving control of my PC to software company tech support teams more than once a year!

My earlier feeling of hopefulness about Norton AntiVirus 2009 Beta is slowly draining away, I’m sorry to report.  Perhaps that’s my exhaustion speaking.

Still alive!

I’ve not been around much this week. Instead I’ve been in my bed fighting some nasty virus; the worst I’ve had in some time.

The symptoms: wheezy chest, irritating cough, sore head, sore joints, sore muscles, sore eyes, sore stomach, sore … everything! and feeling really sick.

I went to bed on Tuesday afternoon and have slept pretty much all the way through until this morning (sleeping about 19-20 hours a day). I’ve done very little else but sleep.

Plenty of fluids though (big bottles of water by my bed) and paracetamol every six hours or so (or whenever I woke up and remembered).

Many thanks to Planet Rock for the company during this time, and to the England cricket team for putting a smile on my face the last couple of evenings while watching the highlights show on Five.

I’m still not 100%, but at least I’m on my feet. Even if the world does look dizzy.